CISM Definitions Flashcards
_____ is a binary-to-text encoding process that converts long bit sequences into
alphanumeric text.
Base64 Encoding
Description of the logical grouping of capabilities that manage the objects necessary to process
information and support the enterprise’s objectives.
Application architecture
A tool for managing organizational strategy that uses weighted measures for the areas of financial
performance (lag) indicators, internal operations, customer measurements, learning and growth
(lead) indicators, combined to rate the enterprise
Business balanced scorecard
An application software deployed at multiple points in an IT architecture. It is designed to detect and
potentially eliminate virus code before damage is done and repair or quarantine files that have
already been infected.
Antivirus software
Logical and physical controls to define a perimeter between the organization and the outside world
Boundary
Preventing, mitigating and recovering from disruption
Continuity
The translation of the enterprise’s mission from a statement of intention into performance targets
and results
Business goal
An algorithm to perform encryption
Cipher
All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes.
Bus configuration
The technique used for selecting records in a file, one at a time, for processing, retrieval or
storage. The access method is related to, but distinct from, the file organization, which determines
how the records are stored.
Access Method
_____ is a way to identify, acquire and retain customers. _____ is also an industry term for software solutions
that help an enterprise manage customer relationships in an organized manner.
Customer relationship management (CRM)
Any process that directly reduces a threat or vulnerability.
Countermeasure
An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing.
Abend
A mechanism that is used to isolate applications from each other within the context of a running
operating system instance.
Application containerization
The examination of ratios, trends, and changes in balances and other values between periods to
obtain a broad understanding of the enterprise’s financial or operational position and to identify
areas that may require further or closer investigation
Analytical technique
Automatic or manual process designed and established to continue critical business processes from point-of-failure to return-to-normal.
Alternative routing
The process of cost allocation that assigns the original cost of an intangible asset to the periods benefited; calculated in the same way as depreciation.
Amortization
A third party that delivers and manages applications and computer services, including security
services to multiple users via the Internet or a private network.
Application or managed service provider (ASP/MSP)
Device that performs the functions of both a bridge and a router.
Brouter
An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals. Also referred to as control tables.
Access Control List (ACL)
A program that translates programming language (source code) into machine executable instructions
(object code).
Compiler
A method/process by which management and staff of all levels collectively identify and evaluate risk
and controls with their business areas. This may be under the guidance of a facilitator such as an
auditor or risk manager.
Control risk self-assessment
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A. storage capacity and shelf life.
B. regulatory and legal requirements.
C. business strategy and direction.
D. application systems and media.
Answer : D
Explanation: Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover. Business strategy and direction do not generally apply, nor do legal and regulatory requirements. Storage capacity and shelf life are important but secondary issues.
Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives.
Balanced scorecard (BSC)
A public algorithm that operates on plaintext in blocks (strings or groups) of bits
Cipher
An internal computerized table of access rules regarding the levels of computer access permitted to
logon IDs and computer terminals.
Access control table
A process for protecting very-high value assets or in environments where trust is an issue. Access to
an asset requires two or more processes, controls or individuals.
Compartmentalization
A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message
Asymmetric key (public key)
A trusted third party that serves authentication infrastructures or enterprises and registers entities
and issues them certificates
Certificate (Certification) authority (CA)
Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact
of losing the support of any resource to an enterprise, establishes the escalation of that loss over
time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes
and the supporting system
Business impact analysis/assessment (BIA)
The process of establishing the effective design and operation of automated controls within an
application.
Application benchmarking
The individual accountable for delivering the benefits and value of an IT-enabled business investment
program to the enterprise.
Business sponsor
A method of user authentication that is carried out through use of the Challenge Handshake Authentication Protocol (CHAP).
Challenge/response token
An alternate facility to continue IT/IS operations when the primary data processing (DP) center is unavailable.
Backup center
The system by which enterprises are directed and controlled. The board of directors is responsible for
the governance of their enterprise. It consists of the leadership and organizational structures and
processes that ensure the enterprise sustains and extends strategies and objectives.
Corporate Governance
A public algorithm that supports keys from 128 bits to 256 bits in size
Advanced Encryption Standard (AES)
The thorough analysis and significant redesign of business processes and management systems to
establish a better performing structure, more responsive to the customer base and market
conditions, while yielding material cost savings.
Business process reengineering (BPR)
The policies, procedures, practices and organizational structures designed to provide reasonable
assurance that a business process will achieve its objectives.
Business process control
The individual, group or entity that is ultimately responsible for a subject matter, process or
scope.
Accountable party
The processes, rules, and deployment mechanisms that control access to the information systems, resources, and physical access to premises
Access Control
The risk of reaching an incorrect conclusion based upon audit findings.
Audit risk
A type of challenge-response test used in computing to ensure that the response is not generated by
a computer. An example is the site request for web site users to recognize and type a phrase posted
using various challenging-to-read fonts.
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly
by the receiver without errors, or that the receiver is now ready to accept a transmission.
Acknowledgment (ACK)
This approach allows IS auditors to monitor system reliability on a continuous basis and to gather
selective audit evidence through the computer.
Continuous audit approach
Process of developing advance arrangements and procedures that enable an enterprise to respond to
an event that could occur by chance or unforeseen circumstances.
Contingency Planning
The highest ranking individual in an enterprise
Chief executive officer (CEO)
The policies, procedures, practices and organizational structures designed to provide reasonable
assurance that the business objectives will be achieved and undesired events will be prevented or
detected.
Business control
An IS backup facility that has the necessary electrical and physical components of a computer facility,
but does not have the computer equipment in place.
Cold site
The individual primarily responsible for managing the financial risk of an enterprise.
Chief financial officer (CFO)
Which of the following is the BEST method or technique to ensure the effective
implementation of an information security program?
A. Obtain the support of the board of directors.
B. Improve the content of the information security awareness program.
C. Improve the employees’ knowledge of security policies.
D. Implement logical access controls to the information systems.
Answer : A
Explanation: It is extremely difficult to implement an information security program without the aid and support of the board of directors. If they do not understand the importance of security to the achievement of the business objectives, other measures will not be sufficient. Options B and C are measures proposed to ensure the efficiency of the information security program implementation, but are of less significance than obtaining the aid and support of the board of directors. Option D is a measure to secure the enterprise information, but by itself is not a measure to ensure the broader effectiveness of an information security program.
The most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business
strategies, and planning, resourcing and managing the delivery of IT services, information and the
deployment of associated human resources
Chief information officer (CIO)
Common path or channel between hardware devices.
Bus
A statement of the desired result or purpose to be achieved by implementing control procedures in a
particular process.
Control objective
A catalogue of attack patterns as “an abstraction mechanism for helping describe how an attack
against vulnerable systems or networks is executed” published by the MITRE Corporation
Common Attack Pattern Enumeration and Classification (CAPEC)
The consolidation in 1998 of the “Cadbury,” “Greenbury” and “Hampel” Reports
Combined Code on Corporate Governance
An outcome of effective security governance is:
A. business dependency assessment.
B. strategic alignment.
C. risk assessment.
D. planning.
Answer : B
Explanation: Business dependency assessment is a process of determining the dependency of a business on certain information resources. It is not an outcome or a product of effective security management. Strategic alignment is an outcome of effective security governance. Where there is good governance, there is likely to be strategic alignment. Risk assessment is not an outcome of effective security governance; it is a process. Planning comes at the beginning of effective security governance, and is not an outcome but a process.
The existing description of the fundamental underlying design of the components of the business
system before entering a cycle of architecture review and redesign
Baseline architecture
Any formal declaration or set of declarations about the subject matter made by management.
Assertion
The means of managing risk, including policies, procedures, guidelines, practices or organizational
structures, which can be of an administrative, technical, management, or legal nature.
Control
A service that connects programs running on internal networks to services on exterior networks by
creating two connections, one from the requesting client and another to the destination service
Application proxy
______ is a binary-to-text encoding process that converts long bit sequences into
alphanumeric text, which is easier for users
Base58 Encoding
Who is ultimately responsible for the organization’s information?
A. Data custodian
B. Chief information security officer (CISO)
C. Board of directors
D. Chief information officer (CIO)
Answer : C
Explanation: The board of directors is ultimately responsible for the organization’s information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management’s directives. The
chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization’s information.
The Committee on the Financial Aspects of Corporate Governance, set up in May 1991 by the UK
Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, was
chaired by Sir Adrian Cadbury and produced a report on the subject commonly known in the UK as
the Cadbury Report.
Cadbury
Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage.
Batch control
A proven activity or process that has been successfully used by multiple enterprises.
Best practices
Formal inspection and verification to check whether a standard or set of guidelines is being followed,
records are accurate, or efficiency and effectiveness targets are being met
Audit
Automatic or manual process designed and established to continue critical business processes from
point-of-failure to return-to-normal.
Alternate process